Detections
Analytics

18.9.77.1 (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled'

Information

This policy setting allows you to decide whether auditing events can be collected from Windows Defender Application Guard (Application Guard).
The recommended state for this setting is: Enabled.
Note: Windows Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.
More information on system requirements for this feature can be found at this link:
System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs
Rationale:
Auditing of Application Guard events may be useful when investigating a security incident.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer).
Impact:
Application Guard will inherit its auditing policies from Microsoft Edge and start to audit system events specifically for Application Guard. Collected logs are available for review on Microsoft Edge, outside of Application Guard.
Default Value:
Disabled. (Audit event logs aren't collected for Application Guard.)
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
Version 7
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

See Also

https://workbench.cisecurity.org/files/2288

Item Details

References: CSCv6|6.2, CSCv7|6.2, CSCv7|6.3

Plugin: Windows

Control ID: 39ece5f0892349be8adc998fdb1a7c8d8faf8a1298f1e17af496f6875ec133e4